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NASA Engineering and Safety Center (NESC) 


The NASA Engineering and Safety Center (NESC), initially formed in 2003, is an 
independently funded NASA Program whose dedicated team of technical experts provides 
objective engineering and safety assessments of critical, high risk projects. The GN&C 
Technical Discipline Team (TDT) is one of fifteen such discipline -focused teams within the 
NESC organization. The TDT membership is composed of GN&C specialists from across 
NASA and its partner organizations in other government agencies, industry, national 
laboratories, and universities. This paper will briefly define the vision, mission, and purpose 
of the NESC organization. The role of the GN&C TDT will then be described in detail along 
with an overview of how this team operates and engages in its objective engineering and 
safety assessments of critical NASA projects. This paper will then describe selected recent 
experiences, over the period 2007 to present, of the GN&C TDT in which they directly 
performed or supported a wide variety of NESC assessments and consultations. 


T HE National Aeronautics and Space Administration (NASA) Engineering Safety Center (NESC) was initially 
formed in July of 2003 in the wake of the Columbia tragedy. After 7 years of operation and after having 
completed over 300+ technical assessments the NESC has become the “value added” independent technical 
organization for the Agency. NESC is an independently funded NASA program whose dedicated team of technical 
experts coordinates and conducts objective engineering and safety assessments of critical, high risk projects. The 
NESC is a strong technical resource for customers and stakeholders seeking responsive service for solving the 
Agency’s difficult problems. NESC’s strength is rooted in the diverse perspectives and broad knowledge base that 
add value to its products, affording customers a responsive, alternate path for assessing and preventing technical 
problems while protecting vital human and national resources. NESC provides timely technical positions to its 
customers and stakeholders based on independent test and analysis, not opinion. 

By encouraging alternative viewpoints and ensuring objective reporting methods, NESC is able to serve as a 
uniquely unbiased assessment resource. NESC’s technical evaluation and consultation products are delivered in the 
form of written reports that include solution-driven, preventative, and corrective recommendations. The NESC 
communicates its Lessons Learned from each assessment to NASA’s leadership through bi-annual briefings and to 
engineers through both the Agency Lesson Learned system and a series of NESC Technical Bulletins issued 
periodically. These communication channels function to inform the NASA technical community and, therefore, 
NESC’s customers and stakeholders. NESC’s range of services includes testing, analysis, and data review in fifteen 
engineering disciplines. NESC also engages in proactive discipline advancing activities. 

The Guidance, Navigation, and Control (GN&C) Technical Discipline Team (TDT), the primary subject of this 
paper, is one of fifteen (15) such discipline-focused teams within the NESC organization. It is formed, maintained 
and led by the NASA Technical Fellow for GN&C. The TDT membership is composed of senior GN&C engineers 
from across NASA’s Field Centers as well as from its partner organizations in other government agencies, industry, 
national laboratories, and universities. 

This paper will briefly define the vision, mission, and purpose of the NESC organization. The role of the GN&C 
TDT will then be described in detail along with an overview of how this team operates and engages in its objective 
engineering and safety assessments of critical NASA projects. Several recent, 2007 to present, experiences will then 
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be described in which the GN&C TDT performed or supported a wide variety of NESC assessments and 
consultations. 


I. NESC Vision, Mission, and Organization 

One of the tenets of an effective safety philosophy is to provide an avenue for independent assessment of the 
technical aspects and risks of critical systems. NESC offers this alternate reporting path for all NASA programs and 
projects. 

The vision that NESC has for itself is to serve as the independent and objective deep technical resource of choice 
for NASA Programs and other government agencies. As its fundamental mission the NESC strives to set the 
example for engineering and technical excellence within NASA. The primary purpose of this independent and 
objective organization is to increase safety through engineering excellence. NESC collaborates with its customers 
and stakeholders to ensure the safety and success of their programs and projects. A resource for the Agency, the 
NESC is a unique and valuable asset for the high-risk programs that NASA undertakes. 

At the core of the NESC is an established knowledge base of technical specialists pulled from the ten NASA 
Centers and from a group of partner organizations external to the Agency. This ready group of engineering experts is 
organized into 15 discipline areas called Technical Discipline Teams (TDTs). TDT members are drawn from NASA, 
industry, academia, and other government agencies. By drawing on the minds of leading engineers from across the 
country, the NESC consistently solves technical problems, deepens its knowledge base, strengthens its technical 
capabilities, and broadens its perspectives, thereby further executing its commitment to engineering excellence. 

The organizational structure of the NESC is based on maintaining a diverse and broad base of knowledge, 
keeping informed and engaged with each Center and the Agency’s major programs, responding efficiently to 
requests for assistance, and retaining a high degree of independence. There are some 50+ full-time NESC-badged 
employees, the majority of which are based at NESC Headquarters located at NASA’s Langley Research Center in 
Hampton, Virginia. Over 550 other engineers nationwide are employed part-time by NESC as the members of the 
15 TDTs. 

To achieve the goals stated above, the NESC is organized into six distinct offices: 

NASA Technical Fellows assemble, maintain and provide leadership for the TDTs and are stewards for their 
disciplines. The Technical Fellows serve as the senior technical experts for the Agency in support of the Office of 
the Chief Engineer and the NESC. They are an independent resource to the Agency and industry to resolve complex 
issues in their respective discipline areas. While they all lead their own NESC TDTs some Technical Fellows may, 
in addition, also lead Agency-wide discipline Working Groups. Specifically, the Technical Fellows are responsible 
for: 1) fostering consistency of Agency-level standards and specifications, 2) promoting discipline stewardship 
through workshops, conferences and discipline advancing activities, and 3) ensuring that Lessons Learned are 
identified and incorporated into Agency processes. 

NESC Chief Engineers provide insight into their Centers’ programs and help to coordinate the facilities and 
resources of each Center when required to support NESC activities. NESC also proactively exploits its network of 
Center -based NESC Chief Engineers for outreach to and communications with the broad NASA community. The 
Chief Engineers also coordinate with the NASA Technical Fellows in the process of identifying potential discipline 
issues and problems to be addressed proactively by the NESC. 

Principal Engineers use TDT members provided by the NASA Technical Fellows and resources arranged by the 
NESC Chief Engineers to lead independent technical reviews, assessments, tests, and analyses. 

The Systems Engineering Office dispositions requests as they come in, performs proactive trending analysis and 
problem identification, and provides other integration and system engineering support. 

The Management and Technical Support Office is the business arm of the NESC, taking care of the contracting, 
budgeting, and management of the NESC’s infrastructure. 
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Under the leadership of the Director’s Office, these five components come together to form the heart of the 
NESC — the NESC Review Board (NRB). The life cycle, from initial assessment plans to interim status briefings to 
final reports, of every formal activity performed by the NESC requires approval of the NRB. The NRB is a vital 
peer review process for the NESC which directly supports the development of high quality end products for 
stakeholders. All NESC reports must be reviewed and approved by the NRB prior to out -briefing the stakeholders. 
The NRB brings a diversity of thought to the decision-making process. It is an amalgam of people representing 
different Centers, programs, and engineering backgrounds. 

After an activity performed by the NESC has concluded, results are delivered to the stakeholders in the form of 
written engineering reports that include solution-driven preventative and corrective recommendations. The NESC 
strives to set the example for the Agency by providing full and appropriate documentation of every activity. Along 
with each report, lessons learned are communicated to Agency leadership and to engineers through avenues such as 
the Agency’s Lessons Learned system, the reports themselves, and the periodic NESC Technical Bulletins. 

In addition to acting on requests from outside of the NESC, another important function of the NESC is to engage 
in proactive investigations to identify and address potential concerns before they become major problems. To further 
this goal, the NESC is currently leading NASA’s efforts for independent data mining and trend analysis. The 
NESC has established a Data Mining and Trending Working Group that includes representatives from all NASA 
Centers as well as external to the Agency. 

II. NESC GN&C TDT 

The GN&C TDT is a technical resource that supports the NESC and the NRB-approved independent assessment 
teams. The primary purpose of the GN&C TDT is to engage in the resolution of GN&C related issues throughout 
the agency when directed by the NRB or by NESC senior leadership. A secondary purpose of the GN&C TDT is to 
proactively identify Agency-wide GN&C engineering discipline issues and problems. 

The GN&C TDT is assembled, maintained, and managed by the NASA Technical Fellow for GN&C. The 
GN&C resources (subject matter experts, tools, and test facilities) required to support the assessment teams and 
other GN&C-specific NESC activities come from the TDT. The GN&C TDT is cognizant of all GN&C related 
assessments to ensure adequate and timely GN&C expertise support. This is accomplished via bi-weekly 
teleconference meetings and also with annual face-to-face meetings of the TDT. These and other communication 
mechanisms (e.g. a NESC-internal GN&C TDT secure website has been established to post team news and other 
information) are used to unite the TDT members located across NASA. 

The GN&C TDT consists of individuals that are experts in a wide range of GN&C sub -disciplines including 
GN&C systems, GN&C analysis, GN&C components and hardware systems (sensors, actuators, interfacing 
hardware systems), GN&C software, flight dynamics, mission design, flight operations, launch vehicle flight 
mechanics analyses, and launch vehicle guidance systems. As mentioned above, this team of experts collectively 
serves as discipline "think tank” to identify potential GN&C issues and problems to address proactively by the 
NESC. 

Given the wide-breath and depth required to adequately staff the GN&C TDT as well as to support multiple 
assessments simultaneously, a staffing model has been developed to recruit and staff the GN&C discipline TDT. 
This staffing model requires skill sets representing discipline systems experts, sub -discipline specific experts, and 
technical team support personnel. The GN&C TDT consists of a “core” group of approximately 20-30 discipline 
systems experts. It also consists of an extended team of about 5-6 specific experts from each of the sub-discipline 
areas of expertise that encompass the broad scope of the GN&C discipline at NASA. These sub -discipline experts 
are on call-up to the NASA Technical Fellow and to the core team. Approximately 100 GN&C experts, the majority 
of them being NASA Civil Servant employees from across the Agency, currently comprise the entire NESC GN&C 
TDT. When the operational function of the GN&C discipline TDT is constrained by limited Agency in-house 
staffing resources, additional GN&C discipline expertise from outside the NASA community (e.g., industry and 
academia) are exploited to augment the TDT membership. 
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The members of the “core” group are senior level individuals from across the Agency that have broad, but expert 
knowledge. These senior experts have in-depth knowledge of one, or several, GN&C expertise areas, but probably 
not all the GN&C areas of expertise. The individuals who make up the TDT’s “core” group possess exemplary 
leadership and teamwork skills since they both represent their Center’s GN&C engineering organization and also 
serve as the GN&C leadership interface to the NESC’s assessment teams. 

The sub-discipline specific experts are individuals that have in-depth experience and expertise in a specific 
GN&C area. These specific areas are defined by the TDT core group. For example, on the GN&C TDT, there will 
be sub-discipline experts in the following areas: inertial sensors, GPS navigation, spacecraft attitude determination 
and control, stellar/celestial sensors, formation flying, flight dynamics, aeronautical vehicle flight control, inter- 
planetary navigation, flight mechanics, reaction wheels, control moment gyros, controls structures interaction, 
mission design, launch vehicle guidance and control, etc. 

The technical support group is the third and last major component of the GN&C TDT. The technical support 
group is a small (about 3-5 people) contingent of individuals that support the NASA Technical Fellow for GN&C in 
the day-to-day management and operation of the GN&C TDT. These are typically GN&C engineers with perhaps 5- 
8 years of professional work experience. They contribute routine administrative and technical support (e.g., 
recording teleconference meeting minutes, providing logistics for the annual face-to-face meeting, updating the 
TDT’s internal website, etc.) while at the same time benefiting from the mentoring experience of working with the 
other TDT members. The technical support group, by virtue of their role on the TDT, has exposure to a wide range 
of GN&C problem from across NASA as well as the opportunity to witness first hand the problem solving skills of 
some the Agency’s senior GN&C engineers. This has turned out to be a win-win situation that both benefit the 
operation of the TDT and the technical support group personnel. 

In closing this section of the paper there are some general observations that should made regarding the 
multiple benefits of serving as a TDT member. Working as a member of an NESC TDT clearly offers challenging 
opportunities. Members of the TDT interact with other subject matter experts from across NASA, industry, 
academia, and other government agencies to address a broad spectmm of discipline technical issues. TDT members 
also find that working within the NESC organizational structure permits an exposure to other NASA programs, 
projects, cultures, methods, and business practices from across the Agency. Typically this allows experiences to be 
gained outside one’s normal work area within a single NASA Center organization. The experience should broaden 
one’s horizons via the wide network of job-related interactions. There will be technically challenging and diverse 
assignments of a high impact/high feedback/high visibility nature. Serving on a TDT provides an avenue for both 
professional growth and positive recognition, not only within the discipline Community of Practice but also within 
the NESC’s customer and stakeholder community. The overall TDT experience is one that should provide 
motivated, tenacious, and intellectually curious team members with a very high degree of job satisfaction. 

III. Experiences of the NESC GN&C TDT 

The GN&C TDT has engaged in multiple NESC assessments, consultations and reviews since the NESC became 
an operational organization in November of 2003. Reference 1 provides a description of NESC GN&C TDT 
activities over the period from late 2003 to mid-2007. 

In this section several of the most recent TDT experiences will be highlighted. In certain cases significant 
relevant technical details will be provided as background. These experiences, which occurred over the period from 
2007 to present, were selected to illustrate the variety of work the GN&C TDT engages in. The reader will see that 
the GN&C TDT supported both human spaceflight projects and robotic spaceflight projects. The time durations over 
which the work was performed varied from durations of a few weeks to a month or two for the smaller scale quick- 
reaction peer review tasks to durations of several months to over a year for larger scale efforts. In cases where the 
task was primarily focused on a specific GN&C discipline issue, the work was performed exclusively by the NASA 
Technical Fellow for GN&C and/or small contingents of GN&C TDT members. In other cases that required a more 
multi-disciplinary approach the GN&C TDT members supported the task as part of a larger, integrated NESC team 
effort under the direction and leadership of an NESC Project Engineer. As with the majority of NESC endeavors, 
experts from virtually all NASA Centers, other government agencies, national laboratories, academia, and industry 
were involved in conducting these activities. 
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A. Max Launch Abort System (ML AS) Flight Test Assessment 


The NESC designed, developed, and flew the alternative Max Launch Abort System (MLAS) as risk mitigation 
for the baseline Orion spacecraft Launch Abort System (LAS) already in development. The NESC was tasked with 
both formulating a conceptual Objective System (OS) design of this alternative MLAS as well as demonstrating this 
concept with a simulated pad abort flight test. The goal was to obtain sufficient flight test data to assess 
performance, validate models/tools, and to reduce the design and development risks for a MLAS OS. 

In June 2007, the Associate Administrator for the Exploration Systems Mission Directorate (ESMD) requested 
the NESC undertake the MLAS Project. The MLAS was named after Maxime (Max) Laget. Dr. Laget was the lead 
designer of the Mercury space capsule and developed its abort system called the “Aerial Capsule Emergency 
Separation Device”. It was in his honor that the MLAS was named. His innovative spirit and his team’s rapid 
development of new technologies formed the inspiration for the MLAS project. 

The charter for the MLAS project was to develop, design, and test an alternate concept for the Orion Crew 
Exploration Vehicle (CEV) LAS. MLAS would be theoretically capable of extracting the Orion vehicle from the 
launch vehicle at any time from crew ingress at the launch pad through staging and ignition of the second or upper 
stage of the Ares I crew launch vehicle. The MLAS Project would conclude with at least one full-scale unmanned 
pad abort (PA) test suitable for demonstrating the viability of this alternate LAS concept. The MLAS project would 
be run independently from the Constellation Program (CxP) and Orion Project in order to minimize impact on in- 
line program resources. It was dictated that off-the-shelf hardware and existing technology would be used wherever 
possible on MLAS. Design and development work previously accomplished by the NESC would be leveraged for 
this project. Previous work includes the CEV Smart Buyer Design (SBD), Composite Crew Module (CCM), and the 
Alternate Launch Abort System (ALAS). This NESC infrastructure was used to form the NASA-wide MLAS 
Project team. For example, members of the GN&C TDT (Reference 1) were recruited to serve on the MLAS GN&C 
team and other members were subsequently recruited to serve as peer reviewers of the GN&C team’s work. 

The origins of the tower-less MLAS FTV can be traced to the initial notional ‘back of the napkin’ drawing (see 
Figure la) that was conceived during a CEV Smart Buyer Design study outbrief brainstorming session in March 
2006. Subsequently a refined MLAS drawing (see Figure lb) was provided to NESC in June 2007 by Scott “Doc” 
Horowitz, the Associate Administrator for the ESMD at the time MLAS was initiated, as a notional point of 
departure for the early system level trades and vehicle configuration studies. It is interesting to compare the final 
MLAS FTV prelaunch physical configuration (see Figure lc) with the original notional drawings depicted in Figure 
la and Figure lb. One can clearly see that the MLAS abort system concept differs from Orion LAS in that it uses 
side-mounted abort motors instead of a tower-tractor abort motor design that pulls the CM from above. The tower 
abort motor has been designed out of the MLAS concept and the CM fully encapsulated in a forward fairing (FF). 

The MLAS GN&C team was formed in July 2007 and was given the responsibility for modeling, simulating and 
analyzing the trajectory and attitude dynamics of the MLAS Flight Test Vehicle (FTV) during its simulated pad 
abort flight. The GN&C team ensured that the flight test occurred within the envelope defined by the requirements, 
and they constructed the nominal target flight timeline and trajectory. All of the MLAS trajectory and attitude flight 
instrumentation equipment, including the Inertial Measurement Units (IMUs) and Global Positioning System (GPS) 
receivers were selected by the GN&C team. These navigation sensors were chosen to generate flight test data that 
would permit post-flight reconstruction of MLAS vehicle trajectory and attitude dynamics. Analyses performed by 
the GN&C team determined ballasting, motor alignment, and launch stand angle requirements. Over the course of 
the MLAS Project the GN&C team worked closely with the System Engineering and Integration (SE&I), 
Aerodynamics, Landing and Recovery System (L&RS), Propulsion, Avionics, Software, Structures, and Loads & 
Dynamics teams and also with the MLAS Chief Engineer. The MLAS Project was by far the most extensive activity 
undertaken by the GN&C TDT over the period of time being covered in this paper. 

The MLAS simulated pad abort flight test was successfully conducted from Wallops Island on 8 July 2009. 
Figure 2 shows the MLAS FTV shortly after abort motor ignition. Figures 3 and 4 depict the CM altitude versus 
range and the CM altitude versus time, respectively. Figures 3 and 4 show the position data from the GPS receivers 
alongside the pre-flight predictions made with the wind, density, static pressure and speed of sound data from the L- 
3 minute balloon sonde. The as-flown flight trajectory was somewhat steeper than that which was predicted in the 
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pre-flight simulation; however, the trajectory deviation from the prediction was within 0.75 standard deviations in 
all directions. 



Figure 1. MLAS FTV: a) First notional conceptual drawing (2006), b) Refined conceptual drawing (2007), 
and c) Mounted on launch stool at Wallops Island (2009) 



Figure 2. Launch of MLAS FTV from Wallops Flight Facility (8 July 2009) 
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Down Range, ft 


Figure 3. MLAS CM altitude versus range. 



Time - sec 


Figure 4. CM altitude versus time. 
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The GN&C TDT can look back upon the MLAS experience and observe that less than two years after Project 
start the flight test of this alternative launch vehicle abort system was conducted in very close agreement with its 
operations concept. All the key flight test events occurred in the prescribed sequential order and within acceptable 
tolerances of the exact pre-planned time and flight dynamic conditions. The entire flight test duration was 88 
seconds during which multiple staging events were performed, and nine separate critically timed parachute 
deployments occurred as scheduled. Overall the as-flown flight performance was as predicted prior to launch. 

The primary lesson learned on MLAS was the extent to which the design and integration of a launch abort 
system can impact and influence the overall launch vehicle/spacecraft system design, overall reliability, and 
performance capabilities. Several other important lessons learned coming out of this MLAS flight test experience 
are: 


> The need for all project team members to look beyond their immediate discipline task to think, speak up, and 
act like Systems Engineers for the benefit of the project. 

> The need for planned periodic crosschecks of critical analytical results by having technical ‘shoot outs’ 
between different engineering groups using different tools/methods to independently generate analytical 
products. 

> The need for periodic and informal face-to-face peer reviews; the emphasis should be on reviewing the 
details of modeling assumptions, analytic methods, uncertainty assumptions, simulation results, control law 
algorithm designs, software code, etc., and not on preparing formal presentations and responding to action 
items. 

r The need for stringent mass properties testing, and vehicle mass properties configuration control measures 
and routine periodic reports, especially on a passively controlled vehicle. 

r The degree of difficulty in safely and reliably performing precision alignment of the solid rocket abort 
motors was initially underestimated. 

r The need to manage and limit insidious unchecked vehicle mass growth which erodes flight performance, 
degrades system design robustness, increases parachute loads and generally diminishes the probability of 
overall mission success. Associated with this is the need to incorporate realistic growth margins into the 
vehicle’s design to mass budget. Also, this can be mitigated in part by defining a robust set of structural 
loads requirements as early as possible in the project design cycle. 

> A rapid prototyping activity like MLAS can be accomplished using virtual meeting technologies 
supplemented by periodic Co-Locations of the entire team and by leveraging modern online concurrent data 
sharing and configuration management capabilities. 


B. Constellation System Preliminary Design Review (PDR) Assessment 

The Constellation Chief Engineer requested the NESC to participate in the CxP Preliminary Design Review 
(PDR) process as the Independent Review Team (IRT). The NASA Technical Fellow for GN&C, along with 
members of his GN&C TDT, served on this IRT. The purpose of the IRT was to ensure technical issues were not 
overlooked due to familiarity with the PDR products. The IRT was asked to identify technical issues in three 
categories. The first category was an issue or resolution to an issue that was incomplete or not fully addressed. The 
second category was an issue that was not addressed. The third category was an issue that the IRT disagreed with its 
resolution or had a contrary opinion. 

The CxP PDR process, which culminated in April 2010, had the following several objectives: 

> Demonstrate the End-to-End (E2E) understanding of the IOC Mission and where the design is driven by the 
Lunar Mission 



> Demonstrate that the completed analysis and tests provide the results necessary to close the architecture to 
accomplish the Design Reference Missions 

> Demonstrate the architecture performance is capable of accomplishing the E2E mission with acceptable risk 

> Identify key architecture risks and associated mitigation status 

> Baseline Initial Capability Interface Requirements Documents (IRDs) and draft Spacecraft Interface Control 
Documents (ICDs) 

> Documented Program Test & Verification Strategy and draft System Integration Plans released 

> Define the Forward Work plan necessary for a successful CxP Critical Design Review (CDR) 


The IRT members first participated in a series of discipline-specific Face-to-Face Integration Reviews, each led 
by the respective Phase Lead Engineer. This was an excellent approach to somewhat informally ‘break the ice’ 
technically in each of the mission phases (e.g. Ascent, On-Orbit, Entry Descent & Landing, etc.) prior to the actual 
formal CxP PDR milestone. These mission phase reviews were held near the Johnson Space Center (JSC), Houston, 
Texas, over the period from November 2009 through December 2009. In addition, the IRT participated in the PDR 
kickoff meeting held the week of January 12, 2010 and the PDR Pre-Board and PDR Board meetings held the week 
of March 1, 2010. The IRT provided 41 Review Item Discrepancies (RIDs) and five comments in the RID system. 

Overall, the GN&C Technical Fellow and the participating members of the GN&C TDT believed the CxP PDR 
process was a good high-level review of the Program maturity and identified the issues, work completed, work to be 
performed, etc. The face-to-face meetings created an environment of open communication among all participants. 
The face-to-face teams were very receptive to the IRT’s comments and met separately with the IRT to alleviate 
concerns and issues. The RID Review Teams (RRT) attempted to understand the issues by speaking directly with 
the RID initiators rather than just reviewing the RIDs on paper. The RRTs tried to accommodate the initiators 
schedule and coordinated with them to be able to state their case directly. When impasses were reached, the reclama 
process was recommended to the initiators. The IRT agreed that the RRTs had worked with all the RID initiators to 
reach mutually agreeable resolutions to the issues that were raised and all RIDs that the IRT submitted were 
acceptably resolved. 

Clearly the PDR process was a very successful forcing function to bring forth "gaps” and discrepancies. The 
identification of these occurred because of the open communications with the IRT and between all levels of the 
Program and Projects. However, it was apparent that not all the needed integration was occurring during normal 
program functions prior to the PDR process. It is understandable to have elements that lag behind others when 
everyone is concentrating on their top issue or latest problem. New issues were raised and clarifications were 
generated during the PDR process. For example, a RID was written to address the fact that, as presented, the Ares-I 
Roll Control System (RoCS) propellant margins (at about 8%) were lower than the 20% margin typically desired at 
the time of the System PDR design milestone. 

The issues that were identified by the IRT were grouped into four broad themes and summarized in a NESC 
White Paper provided to CxP program managers and others. The items discussed in the NESC White Paper fell into 
all three categories of technical issues that the IRT was charged to identify. The first theme identified issues that 
were lacking the technical maturity required for a PDR. The areas of Launch Abort Vehicle (LAV) performance in 
the transonic flight regime, updating of the integrated Probabilistic Risk Analysis (PRA) model, regression test 
planning, incorporation of human factors to support design trades and studies, and the mismatch of Program and 
Project maturity levels fell within this category. The recommendations included pursuing engineering solutions at 
this early stage of the design process and saving operational changes for later as the program matures and when 
design changes can be prohibitively expensive to implement. 

The second theme addressed uncertainty in models and simulations. The GN&C Technical Fellow and the 
GN&C TDT members felt the interpretation, quantification, and application of model and data uncertainty were 
especially important areas to be addressed by both CxP managers and engineers. It is acceptable to have uncertainty 
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in models and simulations, but quantifying the uncertainty and clearly communicating the model uncertainty to 
perform trades and to make informed decisions of risk needs to be emphasized. 

Mathematical models, and their associated data sets, are used to capture and represent the current state of 
knowledge of system physical behaviors in every element of the CxP architecture. These models and their 
supporting data are exercised to analyze and predict system sensitivities, performance against requirements, factor of 
safety/stability margins, risks and overall mission success. 

It is a recognized and accepted reality that these models and their data have limitations. Some models have 
insufficient experimental data to precisely characterize a probability distribution of critical model parameters and 
features. In other cases there is only poor or limited understanding of the underlying physics phenomena or physical 
coupling between system elements or between sub-elements. Beyond our inability to completely understand the 
dynamics of a given problem there is also the reality that there will be both variability in the physical 
features/parameters of the as-built flight systems and additional variability in the operational environments 
encountered during manufacturing and assembly, ground operations, and mission operations. All of these aspects 
need to be accommodated and quantified in an uncertainty framework by the engineers using the models/data. 

Various methods and approaches have been used across CxP and its elements to characterize the uncertainty in 
these models and their supporting data. The NASA-STD-7009 for Models and Simulations was developed to help 
NASA programs/projects consistently address the challenges of documenting, analyzing, and communicating 
uncertainties, and several other modeling and simulation issues in the Agency. The NASA-STD-7009 also requires 
clear documentation and communication of model assumptions to decision makers. Reporting uncertainties in 
model inputs and outputs is required for critical analyses, and data/model uncertainty quantification are factors in the 
credibility assessment scale (CAS) review. The CAS review provides a common framework to evaluate models and 
simulations. 

However, there is not a consistent interpretation of uncertainty across the CxP architectural elements, and 
NASA-STD-7009 does not address inconsistency in model uncertainties across a set of analyses within a Program. 
This is a concern since having a proper and consistent application of model/data uncertainties is fundamental to 
providing CxP decision makers with informed risk analysis information. Consistency is especially important where 
CxP decision makers are seeking to trade risk across architectural elements, across system elements, and across 
technical disciplines. Furthermore, flight system designs can be excessively over-conservative if modeled 
uncertainties are significantly higher than the variations or unknowns of the physical system. Conversely, designs 
can be at risk of failure if modeled uncertainties are lower than the actual variations of the physical system. Input 
data uncertainties are included in the integrated Loss of Crew/Loss of Mission (LOC/LOM) models, and the PRA 
results include reporting uncertainty ranges using 5 th and 95 th percentiles. 

An example of the model uncertainty issue is that a recent aerodynamic database model uncertainty distribution 
change resulted in a reduction of the LAS Attitude Control Motor (ACM) control authority in the transonic flight 
regime (M=0.9-1.3, 35-47 sec MET) and this has driven the need for the CxP to investigate alternative means of 
improving performance of the LAV (e.g. adding ballast mass). In parallel, special wind tunnel tests are being 
pursued in an effort to lower the uncertainties in the aerodynamic database. 

There is some level of recognition that the application of model/data uncertainties needs to be improved within 
CxP and certain teams are actively working the issue. It is not clear however that the current practice of inconsistent 
interpretation and application of uncertainty across CxP has been elevated sufficiently high and captured as an 
integrated risk for the Program. A common uncertainty framework for all CxP elements that is consistent with 
NASA-STD-7009 would provide needed consistency and rigor in addressing the issues associated with model/data 
uncertainty. Per NASA-STD-7009, reporting uncertainties in model inputs and outputs is required for critical 
analyses and data/ model uncertainty quantification, documentation, and communication are factors in the CAS 
review. 

There is one last NESC observation on modeling and simulation that emerged from the CxP PDR process. Even 
with all the great work in models and simulation, a trap can occur where there is an overreliance on these models 
and simulation. This can occur because the people who are doing the day-to-day problem solving become so caught 
up in working with the models and trying to reduce and define the uncertainty associated in the models on their own. 
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These engineers need to remember to periodically step back from the problem to apply objective engineering 
judgment to ‘sanity’ check their analytical results, perhaps in a peer review forum, to ensure the basic laws of 
physics and engineering are not violated. Also, by engaging the critical end users in the process of quantifying 
model uncertainties, and by periodically re-evaluating their assumptions and processes, engineers can avoid this 
trap. 

The third theme addressed in the NESC White Paper deals with disconnects in the level of maturity between 
project elements and interfaces. The last theme discussed the process of identifying test needs. The IRT noticed a 
perception that some testing was not being pursued due to reasons of cost or schedule even though the test might 
significantly buy down risk. The development of a list of minimum required tests (i.e., an ‘incompressible’ test list) 
was recommended. 

This particular experience reminded all the teams involved that an independent review can provide a fresh 
perspective that is not biased by long-term involvement with the project or program. The Face to Face Integration 
Reviews, led by the respective Phase Fead Engineers, was a tremendously valuable first step in the overall CxP PDR 
process. For the CxP PDR, the IRT worked with the Program and Project personnel to identify new issues or issues 
that the Program knew of, but did not have the right management visibility. More importantly, the IRT provided 
recommendations that should be pursued. 

C. Orion Ascent Abort One (AA-1) Loads Assessment 

In April 2009 the Systems Engineering Integration Team Fead in the Orion Test Flight Office requested that the 
NESC perform an independent assessment of Ascent Abort One f AA-1) coupled loads analysis performed in support 
of AA-1 Foad Cycle- 1 (EC- 1). 

Based on data from AA-1 FC-1, there were concerns regarding the high-load levels predicted during vehicle 
separation, twang, ascent, and maximum dynamic pressure (Max Q). The NESC Team was tasked to perform an 
independent review of data and provide consultation on the analysis approach and associated assumptions, 
limitations, and uncertainties. The intent of the NESC review was to thoroughly scrub all aspects of FC-1 and then 
provide findings, observations and recommendations for any changes to be incorporated into the follow-on effort, 
Foads Cycle-2 (EC -2). The NESC Team was not expected to provide an independent load analysis unless significant 
issues were identified. 

Figure 5 provides an illustrative comparison between the Pad Abort one (PA-1) flight test configuration and the 
AA-1 flight test configuration. The AA-1 FAV system includes the FAS, FAS Fairing Assembly (FFA), and Crew 
Module (CM). The AA-1 abort flight test will launch from the White Sands Missile Range. During the boost phase, 
the FAV will be connected to the Abort Test Booster (ATB) through the separation ring (SR). The ATB will boost 
the FAV to an altitude of nearly 38,000 feet before separation of FAV from ATB/SR. The FAV Abort Motor (AM) 
and ACM will ignite and burn for less than five seconds. Then the FAS will separate from CM, and the CM will 
descend via parachute to a soil landing. 

The critical loads for the FAV occur during the motor burn, parachute deployment, and landing. However, FC-1 
covered only the motor burn phase, which included FAV separation from the ATB, ignition of the Abort Motor, and 
flight up to Max Dynamic Pressure (MaxQ). 

Several members of the GN&C TDT, together with members of the NESC Flight Mechanics TDT, supported 
this assessment by investigating and reporting on the technical features of the ATB boost phase flight control system 
and other aspects of the AA-1 GN&C system design that influenced the vehicle loading during flight. In particular 
the GN&C and Flight Mechanics TDT members concentrated on how the Monte Carlo analysis of the AA-1 boost 
phase and resulting separation conditions was performed. 

The team determined that FC-1 was adequate as a preliminary set of initial design loads for AA-1 considering 
the number of uncertain or undefined parameters in structure, aerodynamics, event timing, etc. that existed at the 
time of the analysis. Given these qualifiers, it is not surprising that numerous areas were noted where improvements 
could be effected in FC-2. 
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Figure 5. Comparison of PA-1 and AA-1 flight test configurations 

Some of the items the NESC team found necessary to be corrected or implemented for LC-2 to produce a 
complete set of detailed design loads and thorough structural assessments included: 

> Develop a Project Technical Requirements Document that specifically defines AA-1 hardware functional and 
design requirements, environmental requirements, interfaces with other hardware, etc. 

> Document the use of uncertainty factors or dispersions in the various LC-2 inputs to the analysis for 
concurrence by the responsible technical panels and the Orion FTO. 

> The thrust alignment/offset dispersions of the abort motor should be clearly defined ( 1 degree was arbitrarily 
used). 

> The AM thrust offset dispersions to be used in the in LC-2 analysis should include such factors as 
temperature distortions, assembly tolerances, as alignments. 

> The boost phase Monte Carlo analysis should be used to define the required range of initial flight conditions 
at separation for the loads analysis in LC-2. 

> The full specified range of allowable center of gravity (CG) locations should be explored in LC-2. 

> A sensitivity analysis should be performed to check the effect of extreme “corner of the box” CG mass 
properties on modal characteristics. 

> Propellant mass changes should be included in the LC-2 analysis as those changes affect both structural 
dynamics and CG shifts. 
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D. Orion Crew Module Boilerplate Water Drop Test Assessment Support 


In October 2009, the NESC initiated an assessment to perform the specific tests and analyses needed to provide 
the necessary verification to correlate LS-DYNA® simulation results with data collected during multiple water drop 
tests of a full-scale Orion Crew Module (CM) boilerplate test article. The LS-DYNA® code is an advanced general- 
purpose multiphysics simulation software package developed by the Livermore Software Technology Corporation 
(LSTC) which has been used to design the Orion CM structure. The LS-DYNA® software package, which employs 
finite element analysis methods using explicit time integration, is especially well suited for the simulation of highly 
nonlinear transient dynamic events such as the impact dynamics of the CM structure when it lands in water. The 
nonlinear effects typically manifest themselves as changing boundary conditions, relatively large material 
deformations, and certain materials that do not exhibit ideally elastic behavior. Transient dynamic means analyzing 
high speed, short duration impact events where inertial forces are important. 

The fundamental structural design simulation tool for the Orion Project was LS-DYNA, which was specifically 
developed to accommodate non-linear load paths, as occur during water impacts. The NESC Assessment Team 
surveyed readily available LS-DYNA literature on the use of the tool to model water impacts, and assessed that 
some of the techniques used are not deterministic but rely on manipulation by the analyst. Experimental data was 
required to anchor LS-DYNA analyses of water impacts to mitigate the risk of the sort of impact damage seen 
during Apollo drop tests. A strong motivation for these NESC-sponsored tests is that there is a very limited number 
of landing impact tests in the Orion Project plan planned to support the CM primary structure development and 
qualification. The Orion Project had concerns regarding the possibility that significant uncertainties would remain 
in the landing load environment, resulting in an unknown structural capability and an inability to achieve structural 
certification for flight. Since LS-DYNA is being used to establish the structural design of Orion, this program and 
other NASA programs are critically dependent on the validity of the answers generated by the tool. This 
independently performed and fast paced series of drop tests, and the subsequent detailed evaluation of the data 
collected, are intended to support risk determination for the Orion Project and NASA, potentially influencing future 
CM testing plans and design options. This particular NESC assessment is contributing to the ultimate NASA goal of 
developing an integrated landing system design, with a mass -optimized space capsule structure, that will attenuate 
the impact loads transmitted to the crew to non-injurious levels. The key stakeholders for this assessment are the 
Orion Project team and the NASA Office of Chief Engineer. 

The NESC’s MLAS CM simulator (boilerplate) was identified as a rapidly available test article. This test article 
was instrumented in two phases, and tested via crane drops into water. Instrumentation included multiple inertial 
sensors, photogrammetric targets, pressure transducers, and strain gauges. The first phase of drop tests were 
performed at the U.S. Army’s Aberdeen Proving Ground located in Maryland. The test article was hoisted via a 
crane to a pre-determined level and then released to drop into the water (see Ligure 6). In Phase I of this drop test 
assessment, a total of eighteen (18) drops were conducted : fourteen (14) were dropped from a height of ten feet and 
the remaining four (4) were “low energy” drops released at a height of eight (8) feet. 

Members of the NESC GN&C TDT were requested to support both the generation of quick-look, in near realtime, 
inertial sensor data products as well as to perform the more detailed post-test processing and analysis of the water 
drop test data generated by multiple inertial sensors. The GN&C TDT members augmented the existing drop test by 
bringing the necessary skills and expertise to understand, convert, transform, format, process, and analyze data from 
the multiple gyroscopes and accelerometers mounted on the test article. The inertial sensors included four tri -axial 
accelerometer packages, two packages mounted very near the CM test article’s center-of-gravity and the other two 
mounted near the apex of the test article’s apex. There were also individually mounted Analog Devices® single-axis 
Micro Electro-Mechanical Systems (MEMS) angular rate sensors (gyroscopes) as well as a Crossbow Technology® 
AHRS400CC solid-state Attitude and Heading Reference System containing both a full 6-Degree of Freedom IMU 
and an internal Kalman filter. These inertial sensors were mounted inside the CM test article on an aluminum 
structural crossbeam (see Figure 7). 
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Figure 6. Orion CM boilerplate water drop test at Aberdeen Proving Ground 



Figure 7. Inertial sensor instrumentation mounted inside CM test article 


Acceleration data was collected using analog sensors with a bandwidth of 1000 Hz, which was then sampled at a 
rate of 13,888 Hz, embedded in a telemetry stream, and recorded. A representative example of the raw data collected 
is the longitudinal axis (x-axis) acceleration vs. time data plot is presented in Figure 8. Quick-look analysis of the 
acceleration data collected revealed a noise floor at approximately -15dB along with the undesired presence of 
several unwanted CM structural modes, in particular the structural modes of the aluminum crossbeam on which the 
sensors were mounted. The flexible body modes can be seen in Figure 8 over the range from 100 Hz - 1000 Hz with 
the peak flexible mode response occurring at 375 Hz at approximately +8dB. A proper analysis of the acceleration 
data therefore required the attenuation of unwanted high frequency structural “noise” while keeping the low 
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frequency test article rigid body information and the all-important relatively short duration (150 milli-second) 
splashdown transient. So, in addition to performing all the necessary data conversions, re -formatting, and coordinate 
transformations of the various inertial data sets collected, the GN&C TDT contingent spent a great deal of time and 
effort studying and eventually selecting the type and order of digital filter that would sufficiently attenuate the high- 
frequency structural ringing effects from the desired rigid body motions. 

A third-order Low Pass Filter (LPF) was initially selected to filter the raw accelerometer data collected. This 
LPF had two second-order poles each at 75 Hz and a single first-order pole at 85 Hz. The second-order poles had a 
0.7 damping ratio. The continuous form of the LPF (see Eq.l for this representation) was then converted to a digital 
LPF via the standard bi-linear transformation using a sampling period of 73.5 micro-seconds. 


fipM = 



{A) + 2 <4 + 1 


(1) 


Figure 9 shows the result of digitally low pass filtering the raw x-axis accelerometer data. Clearly the flexible 
body effects are significantly reduced leaving a signal more closely representing the CM rigid body response. After 
much further technical deliberation with the LY-DYNA® users a 6 th -order LPF, applied in one direction only, was 
selected by the GN&C team to perform the necessary attenuation. Another significant effort concerned 
determination of the test article’s pre-drop initial conditions. Photogrammetric data was utilized to both define the 
initial conditions and the gyroscope drift and bias estimates. The GN&C TDT members provided sufficient 
processed inertial sensor test data to permit the comparison and verification of the LY-DYNA simulation results. 
Phase II water drop test with improved inertial instrumentation are planned for early FY201 1. 
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Figure 8. Representative raw X-axis CG#1 accelerometer data from CM water drop test 
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X-axis Accel, CO #1 Filtered 



Figure 9. Low pass filtered X-axis CG#1 accelerometer data from CM water drop test 


E. Assessment of Orion Slosh Impact On Ares-I Flight Control System Stability 

The deleterious effects of propellant sloshing on launch vehicle stability have been long recognized by flight 
control system designers. Slosh dynamics were carefully considered on both the Apollo Saturn-V launch vehicle and 
the Space Shuttle launch vehicle. The term “sloshing” is used here to describe the phenomenon of the free surface 
oscillations of the fluid (either fuel or oxidizer) in a partially filled tank. 

In December 2009 the NESC GN&C TDT was asked to assess the impacts of the Orion Service Module (SM) 
slosh dynamics on the Ares-I crew launch vehicle flight control system stability and performance. Figure 10 depicts 
the Ares-1 launch vehicle shortly after liftoff from Kennedy Space Center. The NESC assessment team sought 
answers to two fundamental questions: 1) Assess conservatism in Marshall Space Flight Center’s (MSFC’s) Ares-1 
GN&C impact analysis of Orion SM bare tank slosh dynamics and 2) Determine if the MSFC GN&C team can 
design an Ares-1 flight control system which accommodates the 0.03% Orion SM bare tank slosh mode damping 
and satisfies all stability robustness and performance requirements. Given the short time duration of this assessment 
the NESC did not perform any independent GN&C modeling, simulation, or analysis. Rather the focus was placed 
on understanding the details of the Ares-1 GN&C modeling, simulation and analyses performed by the MSFC flight 
control engineers. 

Stabilizing the Orion SM slosh mode dynamics on top of the Ares-1 flexible -body and LOX/LH2 slosh 
dynamics poses a challenging flight control design problem for MSFC. Extremely low values of Orion slosh 
damping emerged as early as lune 2009 as a key driver in the Ares-1 GNC design. The NESC first became fully 
aware of the sensitivites of the Ares-1 Flight Control System (FCS) design to the extremely lightly damped Orion 
slosh dynamics in November 2009. This occurred at the CxP Ascent/Ascent Aborts Integrated Phase Review held at 
JSC as a precursor to the CxP System-level PDR board. This was true cross-Project system engineering and 
interation issue between Orion and Ares. At that time, as a minimum, it was recomended that a new CxP Program- 
level risk be created and tracked within the CxP Integrated Risk Management Assessment (IRMA) framework to 
provide visibility of theOrion/Ares slosh problem. 


16 


Several elements of the risk posed by this slosh issue were to be included in this new IRMA risk item, including: 


> Risk to Ares GNC resources and schedule 

> Lack of flexibility to accommodate future Ares vehicle challenges, changes, & opportunities 

> Loss of Ares capability to accommodate failures 

> Risk for meeting program stability and margin requirements 

> Risk for increased structural loads 

> Loss of significant robustness and hence safety 

> Risk to Ares’ ability to certify GNC for flight readiness 



Figure 10. Artist’s concept of Ares-1 launch vehicle shortly after liftoff 

The challenge for the Ares-1 flight control system designer is to simultaneously meet the stability margin 
requirements cited above and the linear step response requirements. There are other high-level flight performacne 
requirements that also must be satisfied but these were the one of most interest to the NESC assessment team. 
Lastly it should be noted that no minimum fluid slosh damping rerquirements were ever placed, by the Ares-1 
Project, on the Orion Project’s SM fuel and oxidizers fluid/tank system. 

The Ares GNC7 design cycle analysis, completed by MSFC flight control engineers in June 2009 had indicated 
Ares-1 FCS sensitivites to Orion SM fuel and oxidizer slosh dynamics. The problem was attributed to two major 
factors: 1) the Orion’s SM fuel and oxidizer tanks are partially filled, resulting in a significant sloshing mass, and 2) 
the Orion SM tanks have very smooth bare walls. Slosh mode damping values, determined using the industry- 
standard NASA SP-106 handbook (Reference 2) methodology were computed to be an order of magnitude below 
NASA heritage. The NESC team performed a a comparison of the Orion SM slosh damping values with the Ares-1 
launch vehicle slosh damping values and legacy slosh damping values from the Space Shuttle Program and the 
Apollo Saturn launch vehicle. The empirically computed 1-g minimum slosh mode damping value for the Orion 
Nitrogen Tetroxcide (NTO) oxidizer tank was 0.0003 or 0.03%. Likewise the empirically computed 1-g minimum 


17 



slosh mode damping value for the Orion Monomethyl Hydrazine (MMH) fuel tank was 0.0006 or 0.06%. The 
NESC assessment team verified these empirical 1-g calculations of damping values. 

The MSFC Ares-1 flight control team was unable to develop a design that would meet stability robustness 
requirements using the 0.03%. (for NTO) and 0.06% (for MMH) damping values. The Ares-1 flight control team was 
given action to quantify impacts to their FCS design due to the extremely low Orion SM tank damping values. 
Subsequently multiple Ares-1 FCS redesigns were performed to accommodate partially filled, low-damped Orion 
SM tanks. In order to achieve the required stability margins for both first stage and upper stage flight in the GNC7 
Ares-1 design cycle the Orion SM tank slosh damping values were arbitrarily increased from the empirically 
calcualted smooth wall 0.03 - 0.06% damping values to a damping value of 0.5%. At the time the NESC assessment 
was initiated these Ares-1 analyses were only in a preliminary state and it was recognized that another full Ares-1 
GNC design cycle (i.e., the GNC 8 cycle) would be required to fully quantify the flight control issues and impacts. 
In particular it was noted that the impacts on the slosh dynamics due to many routine transient events such as liftoff 
“twang”, stage separation, FAS jettison, SM panel deployment, the ullage settling motor firings, and potental 
interactions with the non-linear RCS roll axis controller, had not yet been studied. 

As depicted in Figure 11 the flight control system architecture for the Ares-1 consisites of a classical 
Proportional-Integral-Derivative (PID) controller design with loop shaping compensation (i.e. digital filters) to 
provide phase and gain stabilization of the flexible body modes and/or fluid slosh modes. The “Proportional” term 
determines the controller response to the currently sensed error, the “Integral” term determines the response based 
on the sum of recent errors, and the “Derivative” term determines the reaction based on the rate at which the error 
has been changing. The weighted sum of these three different control actions is used to generate the Thrust Vector 
Control (TVC) command for the next control cycle. The PID controller gains and the filter parameters are all gain 
scheduled which is consistent with industry practice. 

The pitch and yaw axes TVC system controllers share this common system architecture. The Ares-1 roll axis 
controller takes a different form and is a non-linear phase-plane RoCS thruster-based controller quite different from 
the TVC pitch and yaw controllers. The roll controller has been developed from legacy Shuttle and ISS phase-plane 
controler designs. 

Table 1 summarizes the Ares-1 flight control system stability gain and phase margin requirements for the low- 
frequency rigid body/aero/slosh condition as well as for the cases where the flexible body modes of the launch 
vehicle are either gain or phase stabilized. Traditionally the gain and phase margin are used as control system 
stability robustness metrics and they represent a tolerance to both plant, disturbances and environment uncertainties. 
The requirements shown in Table 1 are consistent with industry practice. Note that under fully dispersed conditions 
the minimum rigid body/aero/slosh gain and phase margin requirements are suitably lowered to 3 dB and 20 
degrees, respectfully, but are not dropped to zero as done on some projects. The establishment of diminished but 
finite dispersed gain and phase margins in this manner is especailly prudent given the developmental nature of the 
Ares-1 launch vehicle. These Ares-1 stability margin requirements listed in Table 1 are very similar to and one can 
most likely trace their origin to, the stability gain and phase margin requirements levied on the Space Shuttle launch 
vehicle which are shown in Table 2. 
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Figure 11. High-Level Ares-1 FCS architecture 


Table 1. Ares-1 FCS stability margin requirements 



Rigid Body, Aero, Slosh 

Flex 

Gain 

Margin 

(dB) 

Phase 

Margin 

(deg) 

Phase Stabilized 
Flex Modes 

Gain Stabilized 
Flex Modes 

Phase Margin (deg) 

Gain margin (dB) 

Nominal 

>6 

>30 

>45 

>10 

Dispersed* 

>3 

>20 

>30 

>6 


'Assumed 99.73% of cases meet criteria with 10% consumer risk for an allowable failure rate of 0.1% or less in 
Monte Carlo analysis. 


Table 2. Space Shuttle launch vehcile FCS stability margin requirements 


Parameter 

Condition 

Nominal 

Dispersed 

Rigid Body GM (dB) 

6 

3 

Rigid Body PM (deg) 

30 

20 

Slosh Mode PM (deg) 

25 

15 

Slosh Mode GM (dB) 

6 

3 

Flexible Body Mode Attenuation (dB) 

10 

6 
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The Ares-1 gain and phase margin definitions for rigid body, slosh, and flex body dynamics are notionally 
illustrated in Figure 12 (first stage example) and Figure 13 (upper stage example). The red regions reflect +6 dB gain 
and +30 deg phase from the critical stability point. Lower frequency gain margins (rigid/aerodynamics and slosh) are 
defined at the 180 deg phase crossover, while required high frequency flex gain attenuation is defined as peak gain, 
measured from the 0 dB axis. For Ares-1 phase stabilized flexible modes, both lead and lag phase margins are 
defined. The general design philosophy for Ares-1 first stage flight is to robustly phase stabilize the first flexible 
mode, and robustly gain stabilize the 2 nd and all higher flexible modes. The design approach for upper stage flight 
control is to have all vehicle flexible modes be gain stabilized. 



Ph*t«<d*g) 


Figure 12. Notional depiction of Ares-1 FCS gain and phase margins 
(First stage example) 

Figure 14 depicts, for a specific ISS misssion case, the control system, flexible body, and slosh mode frequencies 
as a function of time, with uncertainty included, over the period from launch to 600 seconds after launch. This figure 
graphically illustrates the challenges of designing a control system for first stage powered flight. The lanch vehicle 
flexible body dynamics must be stabilized by the FCS throughout flight. A large percentage of the vehicle mass is 
composed of propellant which is consumed during the boost phase. This loss of mass significantly changes the 
structural dynamics as propellant is depleted. For most fill levels, slosh frequency scales proportionally with vehicle 
acceleration and damping scales inversely. The Ares-1 first stage maximum acceleration is about 3 g’s, which 
results in increased slosh frequencies and decreased damping. Stability issues can occur with this shift in Orion slosh 
frequency under the influence of the lancuh vehicel 3 g acceleration. 
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Upper Stage LOX Mode Phase Stabilized, 
As with Shuttle 



Figure 13. Notional depiction of Ares-1 FCS gain and phase margins 
(Upper stage example) 

The potential for destabilizing Ares-1 flexible body mode dynamic coupling and interaction with Orion NTO and 
MMH slosh modes is apparent from an examination of Figure 14. The Ares-1 full-stack structure first flexible mode 
frequency is very near the same frequency as the Orion SM slosh modes which can cause decreased margins and 
difficulty in filter design. The MSFC team pointed out that the NASA SP-8031 “Slosh Suppression” guidelines 
document (Reference 3) recommends separation between the flexible body and fluid slosh mode frequencies to 
minimize flex body/slosh dynamic interaction. 

During this assessment questions were raised by the GN&C TDT members regarding the implementation details 
of MSFC’s linear spring-mass slosh mechanical model used in their MAVERIC 6-Degree of Freedom (DOF) 
simulation. There was discussion comparing linear versus non-linear slosh modeling. This topic arose after the 
NESC team requested to see output data on the slosh amplitudes seen in MSFC simulations. The need for and the 
potential benefits of a non-linear slosh model were discussed 

Plans for a Ares-1 GNC mini-design cycle where the stability margin and performance sensitivities will be 
evealuated over a range of Orion damping values from 0.1% to 0.5% were also discussed. The stated objective was 
to determine if there is knee in the sensitivity trend curve at a damping value less than 0.5%. 

Over the period from mid-December 2009 to early February 2010 the NASA Technical Fellow for GN&C, along 
with several members of his GN&C TDT, met multiple times with the MSFC Ares-1 GN&C team. The following 
items were reviewed by the NESC assessment team: 

• Ares-1 GN&C architecture 

• Ares-1 GN&C stability and flight performance requirements 

• Legacy GN&C references from Saturn 

• Analysis methodology and tools 
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• Analytic assumptions 

• Uncertainty assumptions 

• Modeling techniques 

• The technical interaction/model data transfer between the Orion team and Ares-1 GN&C team 

• Analysis results, both frequency domain & time domain 

The MSFC Ares-1 GN&C Team has used technically sound and appropriate (traditional industry standard type) 
analytical methods to assess the impact of the very lightly damped (0.03%) Orion slosh mode. The depth of the 
MSFC team’s technical rigor, physical understanding, and problem insights was clearly apparent. 
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Figure 14. Ares-1 flight control, flexible body, and slosh mode frequencies vs. time 


Specifically regarding the level of conservatism in the MSFC slosh analyses the NESC assessment team 
concluded the following: 

> The Orion estimates of propellant slosh damping ratios in the Orion SM tanks of 0.03% (NTO) to 0.06% 
(MMN) are generally consistent with calculations using industry standard and historical techniques, and do 
not appear to be overly conservative. 

> The Orion provided pendulum mechanical models for Orion SM propellant slosh provided to the Ares I 

personnel, and the integration and use of those models in the Ares I MAVERIC 6-DOF simulation and 
linear analysis tools are generally consistent with industry standard and historical techniques, and do not 
appear to be overly conservative. 
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However, it was also observed that the MAVERIC 6-DOF simulation tool used by the Ares-1 flight control 
engineers at MSFC does not clearly flag cases in which the displacement of the point mass used in the Orion SM 
tank slosh spring-mass mechanical model exceeds the maximum displacement consistent with the linear fluid slosh 
fundamental mode on which they are based. The NESC team felt strongly that this transition point between the 
linear slosh regime and the non-linear slosh regime must clearly be identified. 

For linear fluid slosh at the fundamental slosh mode to occur, there is a generally accepted rule of thumb that the 
maximum height of the fluid wave at the outer wall of the tank should not exceed approximately 10% of the radius 
of the tank. For greater fluid wave heights, the fundamental anti -symmetric slosh wave tends to break apart into 
more complex wave shapes because of splashing and breaking of the waves, causing the amount of mass that 
continues to slosh at the fundamental mode natural frequency to be reduced. Using the linear mechanical slosh 
model beyond this linear range could result in overly pessimistic predictions of the forces imparted on the tank walls 
by the propellant slosh. 

The Southwest Research Institute (SwRI) SFOSH tool computes an estimate of the ratio of the maximum fluid 
wave height at the tank outer wall to the maximum amplitude of the pendulum mechanical model. For the Orion 
propellant tanks at the nominal lunar and ISS mission fill levels, the SLOSH tool predicts that ratio to be 
approximately 1.5. That is, the maximum fluid wave height at the tank outer wall is approximately 50% larger than 
the maximum amplitude of the pendulum mechanical model. Since the Orion propellant tanks are 50 inches in 
diameter, 10% of their radius is equivalent to a maximum wave height at the tank outer wall of approximately 2.5 
inches, which when divided by the ratio of wave height to pendulum displacement, yields a maximum pendulum 
amplitude (or the equivalent spring-mass displacement) of approximately 1.7 inches. 

Until the recent design cycle, the Ares-1 MAVERIC 6-DOF simulation did not have the capability to output the 
time history of the Orion SM tank slosh spring-mass displacement. Only the statistics for maximum amplitude 
could be examined. However, prior to the analyses of the current design cycle, the simulation was modified to 
output time history data of the slosh model spring-mass displacement. Initial evaluations of the nominal and typical 
Monte Carlo time history data does appear to suggest that the Orion SM tank slosh spring-mass displacements may 
be beyond the maximum allowable range for linear slosh models. 

Based on this initial finding the NESC team recommended that MSFC review all MAVERIC tank slosh 
displacement data (nominal as well as Monte Carlo dispersed) to confirm operation within the linear range of the 
spring-mass mechanical models. 

As mentioned above the MAVERIC 6-DOF simulation used for the current Ares I GN&C design cycle was 
modified to provide output time history data for the displacement of the spring-mass Orion tank slosh dynamics 
model. A comprehensive review of the tank slosh spring-mass displacement for nominal missions as well as Monte 
Carlo simulation ensembles should be performed to confirm whether the slosh model is operating within its linear 
range. Preliminary data provided for the slosh spring-mass displacement time histories has indicated that for low 
slosh damping, the Monte Carlo dispersed trajectory data does show significant intervals of operation of the Orion 
tank slosh dynamic model beyond its linear range. 

Figure 15 shows a sample plot of the displacement of the spring-mass corresponding to the Orion NTO tank for a 
Monte Carlo run of mission TD71, using 0.1% tank slosh damping. In the figure, the red line indicates the nominal 
mission spring-mass displacement, while the blue lines indicate the 2000 Monte Carlo runs. The black horizontal 
line shows the approximate limit of 0.14 feet (or 1.7 inches) for operation of the slosh model in its linear range. 
Clearly there are significant time intervals where the tank slosh displacement exceeds the maximum limit for linear 
operation for the dispersed cases, although the nominal simulation run shows operation well within the linear range. 

The GN&C TDT members of the assessment team recommended that a comprehensive review of existing 
MAVERIC simulation data should be reviewed to determine the extent at which the current Orion tank slosh spring - 
mass mechanical models may be operating outside of their linear range. Following such an analysis, the Ares I 
personnel may consider developing and using non-linear tank slosh dynamic models. Recent technical discussions 
of the NESC assessment team with representatives from United Launch Alliance have suggested that such non- 
linear tank slosh models have been developed for use with large tank slosh mechanical model displacements and 
have been used in their tank slosh analyses, which may be of use to the Ares I analysis of Orion tank slosh. 
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Therefore, it was also recommended that MSFC consider the development and use of non-linear tank slosh 
mechanical models for the Orion SM propellant tank slosh. The NESC team observed that the displacement of the 
Orion tank slosh spring-mass mechanical models may be operating beyond the linear range at which they are 
considered to be valid mechanical representations of Orion tank slosh dynamics. It was recommended that the Ares 
I personnel should consider implementing non-linear tank slosh mechanical models in their MAVERIC 6-DOF 
simulation and linear analysis tools to provide higher confidence in their predictions of the effects of Orion SM tank 
slosh on the Ares I vehicle controllability. 
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Figure 15. Orion Upstream NTO tank slosh displacement (0.1% damping; TD71 mission) 

The primary recommendation of the NESC team was for CxP to modify Orion propellant tanks to increase 
damping. Any concerns raised about the “degree of confidence” in the Ares I / Orion SM tank slosh dynamics 
models used for the analysis of the effects of Orion tank slosh on Ares I controllability are largely related to 
uncertainties caused by the very low damping ratios predicted for the Orion SM tank slosh. For example, operating 
those slosh mechanical models within their linear range and the effects of lateral tank excitation near the fluid slosh 
fundamental mode natural frequency are largely affected by the low damping, and increasing that damping by an 
order of magnitude or more, would help improve the confidence in the applicability of those slosh mechanical 
models. 


F. Kepler Recurring Anomalies 

In January 2010 the NESC was requested to support an investigation into recurring anomalies onboard the 
Kepler spacecraft. This spacecraft, launched on March 7, 2009, is depicted in Figure 16. The Kepler Mission 
(NASA Discovery mission #10) is specifically designed to survey our region of the Milky Way galaxy to discover 
hundreds of Earth-size and smaller planets in or near the habitable zone and determine how many of the billions of 
stars in our galaxy have such planets. Results from this mission will allow us to place our solar system within the 
continuum of planetary systems in the Galaxy. 

At the time of this request the spacecraft had been in routine science operations returning high quality science 
data for over nine months since operations began on May 12, 2009. The spacecraft had experienced a number of 
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anomalies that have interrupted science data collection, but was operating well within its margins throughout the 
Science Operations mission phases and was still meeting its science requirements. However, while Kepler had not 
experienced any spacecraft emergencies it had experienced a number of star tracker related anomalies. 
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Figure 16. Kepler spacecraft and photometer 

The GN&C Technical Fellow and members of the GN&C TDT supported this NESC assessment of the Kepler 
anomalies. The NESC team reviewed the spacecraft’s general operations philosophy, current analysis of the 
anomalies, the timelines and fish-bones generated, the mitigations undertaken or under consideration, and the effects 
of the mitigations. The team also studied the mission’s anomaly response and resolution process as well as the 
available anomaly statistics. The planned paths to get to the root-cause of the anomalies, the remaining work to 
bring anomalies to closure and any residual risks were also investigated by the NESC team. 

The scientists using the Kepler data prefer long and stable data segments to perform their search for planetary 
transits. The mission design therefore requires only simple periodic operational interactions with the Kepler 
spacecraft. There are three key operational activities performed by the Kepler Flight Operations Team (FOT): 1) 
semi-weekly health and safety contacts, 2) monthly science data downloads via contact with NASA’s Deep Space 
Network (DSN), and 3) quarterly roll maneuvers. The Kepler photometer instrument stares at same field for entire 
mission. The science target location is redefined on the photometer’s Charge Coupled Devices (CCD’s) after each 
quarterly roll. There are also small sets of science target changes for Guest Observers and for higher resolution 
observations. 

Kepler is a data-driven mission, so data completeness is key to mission success. There are two key data 
completeness requirements to be satisfied. The first is the 92% requirement for Onboard Data Completeness. This 
requirement essentially has to do with how much of total operational time is the spacecraft actually collecting 
science data. It is influenced by numerous factors, including the time spent off-pointing to downlink science data, 
the time needed to perform the quarterly rolls, the time needed to unload excess reaction wheel momentum and the 
time the vehicle spends in safe mode events or other anomalies. The second major requirement is the Flight-to- 
Ground Data Completeness metric of 99% which directly has to do with how much of the science data collected 
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onboard actually reaches the mission’s data archive. This requirement is primarily impacted by the quality of the 
DSN space-to-ground link performance and the ability for data retransmission. 

Since it so fundamentally drives the attainment of the Onboard Data Completeness requirement, the NESC team 
first considered the Kepler FOT team’s anomaly response philosophy. The response to a vehicle anomaly is guided 
by a realistic and pragmatic three-tiered priority philosophy. The first priority is to ensure vehicle safety by 
preserving functionality, including on-board fault protection. The second priority is to resume science data 
collection while the anomaly investigation proceeds in parallel. The third priority is to mitigate against further 
occurrences of the anomaly in order to reduce the threat of future loss of science or spacecraft functionality. The 
Kepler engineers budget for the potential loss of up to twelve days of science data collection per year from safing 
events. 

Since operations began on May 12, 2009, as of January 2010, the Kepler spacecraft has entered safe mode three 
times (June 15 th , July 2 nd , and November 18 th 2009) and the loss of the FINEPOINT attitude control capability 
needed for science data collection has also occurred three times (August 13 th , September 14 th , and October 9 th 
2009). Entry into safe mode is a pre-planned self-protective measure that the spacecraft takes when something 
unexpected occurs onboard. During safe mode, the spacecraft points the solar panels directly at the sun and begins to 
slowly rotate about a sun-aligned axis. The spacecraft automatically powers off the photometer and one redundant 
subsystem as a safety precaution. Shortly following the November 18 th safe mode entry the FOT engineers 
immediately began telemetry analysis to determine spacecraft subsystem health and root cause determination of 
what triggered the safe mode. This was the third Safe mode Kepler had experienced since operations began in May 
2009 and it was classed as a Criticality 1 anomaly. Criticality 1 anomalies are those that represent an unacceptable 
risk or have high impact to achieving the Kepler baseline mission objectives. Onboard detection of a Criticality 1 
anomaly will automatically force the spacecraft into safe mode. 

This particular safe mode occurred when the team was preparing to download another month of scientific data 
from Kepler. The scientific data was not at risk and was subsequently downloaded successfully via the DSN 
communications link the day after the safe mode event. Engineers verified nominal performance of all of Kepler’s 
systems and successfully recovered the vehicle from safe mode. Science data collection was resumed by the evening 
of November 20. The safe hold entry was traced to an undesired interaction between the spacecraft’s Flight Software 
(FSW) and its star tracker. The root cause is understood. Near-term mitigation of the problem is in place and a long- 
term mitigation is to be implemented. The anomaly investigation has revealed three star tracker related issues. The 
first is that the star trackers unexpectedly drop stars and/or declare stars invalid, leading to a Lost-in-Space (LIS) 
condition. The second is that the star tracker remains in LIS mode for unexpectedly long time. The third and last 
issue is that star tracker Directed Search (DS) commands occasionally fail. 

The NESC team is still in the process of reviewing the details of the anomaly investigations and the associate 
mitigation or resolution plans. The Kepler management team, the NASA engineering team, and the contractor 
engineering team are using sound risk management principles to guide the process for the resolution of each 
anomaly and to set appropriate priorities. 


IV. Conclusion 

This paper has described how the NESC was formed as an independent organization dedicated to promoting 
safety through engineering excellence. A resource for the Agency, it is a valuable problem solving asset for the 
high-risk programs that NASA has always undertaken. NESC brings together some of NASA’s best engineers with 
experts from industry, academia, and other government agencies to address our highest risk, most complex issues. 
NESC strives to cultivate a Safety-focused culture focused on engineering and technical excellence, while fostering 
an open environment and attacking the Agency’s technical challenges with unequalled tenacity. 

The NESC is more than a problem-solving organization however. It is also an organization that works to 
improve the competence of our entire engineering workforce through the opportunity to work on challenging 
problems, through exposure to other people, tools, techniques and facilities from across the Agency, through 
discipline advancing proactive work, and through its promulgation of lessons learned via technical reports and the 
NESC Academy courses. 
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The backbone of the NESC is the ready group of engineering experts organized into 15 discipline areas TDTs. In 
this paper the purpose of the NESC GN&C TDT has been highlighted and a number of their experiences described. 
The members of the GN&C TDT have contributed to solving problems in many of NASA’s human spaceflight and 
robotic spaceflight Programs and Projects. Their collective efforts have ranged from the assessment of alternative 
launch abort systems, on-orbit robotic spacecraft anomalies, propellant sloshing impacts on launch vehicle flight 
stability and control, loads and dynamics support, and specialized ground testing of future flight systems. 

The NESC, because of its demonstrated ability to focus the technical talent from across all NASA Centers to 
bear on diverse high priority problems has become a valuable resource to senior Agency decision makers. The 
NESC has established itself as a reliable, credible and respected organization within the Agency and is an 
outstanding example of Engineering Excellence in practice. This is evidenced by the increase in requests, from all 
levels of the Agency, for NESC support in resolving problems, reviewing activities, and conducting special studies. 
The NESC, employing the advantages of distributed “virtual organization” architecture has shown its ability to 
efficiently concentrate appropriate levels of technical expertise when and where needed to independently address 
some of NASA’s most challenging and most visible problems. Some consider the NESC to be one of the Agency’s 
most positive post-Columbia success stories. 
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